On 24 April 2013, the EU Presidency, currently held by Ireland, prepared a Note to the Committee of Permanent Representatives (COREPER) regarding the proposed General Data Protection Regulation (Regulation). The Note was leaked and published on Statewatch's website. Statewatch is a civil liberties organisation. In the Note, the Presidency discusses "pivotal issues, the resolution of which requires political guidance," including the scope of the Regulation and the requirement for "explicit"' consent. The Annex to the Note proposes specific drafting amendments.
The Note focusses on five key issues:
- Material scope
- Territorial scope (or jurisdiction)
- Consent
- Data processing principles
- Freedom of expression and access to public documents
The proposed Regulation excludes data processing where the
activity is outside the scope of EU law, and processing by EU
institutions and law enforcement, both of which are considered
problematic. Concern was also raised about the exclusion of
household uses, which as drafted would exempt processing" by a
natural person without any gainful interest in the course of its
own exclusively personal or household activity." Most
delegations wanted the scope of the household exemption clarified,
and the Presidency proposed a compromise extending the provision to
all social networking and online activities carried on in the
context of personal and household activity.
The Note acknowledged that the territorial scope of the Regulation
is ambitious by seeking to govern "the offering of goods or
services (...) to data subjects in the Union," or "the
monitoring of their behaviour as far as their behaviour takes place
within the European Union." The Presidency suggested setting
out factors that can indicate whether a particular offer is aimed
towards EU residents, even though many delegations questioned the
practicality of such a wide jurisdictional scope, doubting whether
non-EU controllers will be aware of and willing to comply with the
Regulation.
The Presidency acknowledged that the proposed definition of consent is beyond that required under the 1995 Data Protection Directive, and many delegations view the new requirement for explicit consent as unrealistic and of little value, especially on the Internet. The Presidency proposed replacing "explicit" with "unambiguous" for all non-sensitive personal data, and removing the exclusion of consent obtained in relationships with an imbalance of power, because it would lead to legal uncertainty.
While the Presidency noted that the data protection principles are largely the same as those within the 1995 Directive, a new principle of data security and confidentiality was added, and consequently there should be further discussion in light of processing of data for historic, statistical, or scientific or archiving purposes.
Lastly, the Presidency suggested adding articles enabling Member States to reconcile the right of data protection with the other fundamental rights of freedom of expression and freedom of information.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.